From

Thank you

Sorry

If you've run a publicly visible server with open SSH access and looked through your auth logs once in a while, you'll have noted a large number of seemingly random login attempts. Unless you restrict SSH access to a list of specific source IP addresses, anyone on the Internet can attempt to log into the box, and large numbers of individuals running scripts will do just that. For the most part, smart security will reduce this threat to nothing more than a nuisance, but it's still relatively interesting to see what's going on with those attempts.

A few weeks ago, I began parsing the logs created by denyhosts, a *nix utility that watches for invalid login attempts and shuts off access to source IP addresses that fail to successfully log in after a configurable number of chances. It's a fantastic utility that will decrease the noise your server sees on an ongoing basis. If you haven't already set up denyhosts on your visible servers, you should do that right now, then come back and read the rest of this -- or read on to understand why you should.

I began gathering and parsing the denyhosts data in a semi-scientific manner. I was watching hosts in the United States and Europe that were running on six different network providers and cataloging every IP that attempted access. Denyhosts would shut down an IP after 10 failed attempts on the same login, or across multiple logins, thus limiting the data I collected to IP addresses ostensibly trying to break in. The results are not really up to snuff for what I would consider an exhaustive research project, but for our purposes, they're interesting enough.

Two of the hosts that were monitored were on the same public IP subnet. One of those boxes hosts a sizable number of domains and websites, hosts email for a slightly smaller number of domains, and is a registered DNS server. The other box does nearly nothing, but acts as a firewall and runs a few small services. You might think the busy server would see a higher number of login attempts than the other because it has a much larger presence, in terms of the services it exposes. I mean, attacking Web servers is about as old as Web servers themselves.

The results were the exact opposite. Within a one-week period, the busy server blocked 47 IP addresses, while the quiet box blocked 86, nearly twice as many. I can only guess that because the quiet box is acting as a firewall and gateway, its IP address was seen by a large number of websites and servers across the Internet, and this caused it to be added to pingback lists for further perusal. Rather than Web servers, the focus was on what appeared to be an edge gateway. I suppose that makes some sense -- if you can break into the gateway, there may be much more behind it than a Web server.